HBM Ransomware

The HBM Ransomware threat is capable of executing an encryption routine with a strong cryptographic algorithm. As a result, the data on the computers infected with the threat will be encrypted and become inaccessible. Victims will effectively lose access to most of their documents, PDFs, photos, audio and video files, archives, databases and other file types. The locked data will be used by the cybercriminals as leverage to extort money from the impacted users or organizations.

Each file locked by the HBM Ransomware will have its original name changed drastically. The threat first creates a unique ID string for the victim and appends it to the file name. Next, it adds an email address controlled by the hackers, 'hebem@cock.li'. Finally, '.HBM' is attached as a new file extension. Victims of the threat are given two ransom notes: one is shown as a pop-up window, while the other is dropped on the desktop of the breached device as a text file named 'info.txt'.

The message found in the text file is extremely brief. Here, the attackers simply tell their victims to contact the 'hebem@cock.li' or 'hebem@tuta.io' email addresses. The pop-up window provides a longer ransom note, but it also lacks many important details. The hackers mostly reiterate the two email addresses and warn users that renaming the locked files or trying to decrypt them with third-party tools could cause permanent damage.

The full text of the instructions shown as a pop-up window is:

'YOUR FILES ARE ENCRYPTED

DHARMA

Don't worry, you can return all your files!
If you want to restore them, write to the mail: hebem@cock.li YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:hebem@tuta.io

ATTENTION!
We recommend you contact us directly to avoid overpaying agents

Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The message delivered as a text file is:

'all your data has been locked us
You want to return?
write email hebem@cock.li or hebem@tuta.io'
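
The indicators described above (the '.HBM' extension, the 'hebem@cock.li' address in file names, and an 'info.txt' note naming either contact address) can be swept for during triage. The following is an added example, not code from the original write-up; the sample file names, the ID value and the separator layout are constructed assumptions, and the matching does not depend on that layout.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Indicators taken from the write-up above.
EXTENSION = ".hbm"                 # '.HBM', compared case-insensitively
NAME_EMAIL = "hebem@cock.li"       # address placed in renamed file names
NOTE_NAME = "info.txt"             # text ransom note dropped on the desktop
NOTE_EMAILS = ("hebem@cock.li", "hebem@tuta.io")

def classify(path: Path) -> Optional[str]:
    """Return a finding label for one file, or None if nothing matches."""
    name = path.name.lower()
    if name.endswith(EXTENSION):
        # The extension alone is a weak signal; the email in the name confirms it.
        return "locked-file" if NAME_EMAIL in name else "extension-only"
    if name == NOTE_NAME:
        try:
            text = path.read_text(errors="ignore").lower()
        except OSError:
            return None            # unreadable file: skip rather than abort the sweep
        if any(addr in text for addr in NOTE_EMAILS):
            return "ransom-note"
    return None

def sweep(root: Path) -> Dict[str, List[str]]:
    """Walk root and group matching paths (relative, POSIX style) by label."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = Path(dirpath) / fname
            label = classify(path)
            if label:
                findings.setdefault(label, []).append(path.relative_to(root).as_posix())
    return findings

def demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Desktop").mkdir()
        (root / "Docs").mkdir()
        # Constructed names: the ID value and separator layout are assumptions.
        (root / "Docs" / "report.docx.id-SAMPLE.[hebem@cock.li].HBM").write_bytes(b"\x00")
        (root / "Docs" / "model.hbm").write_bytes(b"\x00")   # unrelated file, same extension
        (root / "Docs" / "info.txt").write_text("build notes")  # benign info.txt
        (root / "Desktop" / "info.txt").write_text("write email hebem@cock.li or hebem@tuta.io")
        return sweep(root)

if __name__ == "__main__":
    print(demo())
```

Files that carry only the extension are reported separately so they can be reviewed rather than treated as confirmed hits.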
